Ransomed medical devices: It’s happening
The following blog is an extract from Cisco’s recent Mid Year Cyber Security Report. It highlights how cyber attackers have identified and are exploiting a niche area of healthcare technology that carries higher levels of risk and ransomware vulnerability. Lessons can be learnt from such an attack, since the methods deployed by the attackers could easily be applied in other industries.
To operate effectively in today’s increasingly interconnected world, many businesses must integrate their IT and operational technology. Coinciding with this trend, known security weaknesses in devices and systems that were previously isolated from each other now present a greater risk to businesses. By using proven tactics like phishing emails to compromise users, cyber attackers can penetrate a network, establish a foothold in a device with an outdated operating system, and from there move laterally within the network to steal information and lay the groundwork for ransomware campaigns.
The recent WannaCry ransomware attack illustrated how the increasing connectedness of healthcare systems and weak security practices can put both organizations and patients at risk. While it was not the first ransomware attack that appeared to target the healthcare sector, the campaign is notable in that it affected Windows-based radiology devices at some hospitals.
Threat researchers with TrapX Security warn that the targeting of medical devices with ransomware and other malware is only going to expand. They refer to this attack vector as MEDJACK, or “medical device hijack.”
The potential impact is obvious when you consider that the average small to midsize hospital with five or six operational units has about 12,000 to 15,000 devices. Of those devices, about 10 to 12 percent are IP-connected, according to TrapX.
Like many other IoT devices today, medical devices were not, and are not, designed or built with security in mind. They are often running old and unpatched systems and are rarely monitored by hospital IT staff. Even when security teams are aware of vulnerabilities, they may not be able to act because only the vendor has access to those products. In other cases, security teams must put patching on hold because the business simply cannot afford to take critical equipment offline.
[Figure: Oncology System Exploit]
Many cyber criminals want to compromise medical devices, which TrapX researchers say have become a key pivot point for attackers to move laterally within hospital networks. Adversaries also know they are likely to see big returns from ransomware campaigns that hold life-saving medical devices for ransom. More nefarious actors could also, potentially, take control of these devices—including implantable devices—and do harm to patients.
In a recent exploitation of an oncology system with known Windows XP vulnerabilities, the attackers infected three machines (one of which was used to control a powerful laser) and turned one into a botnet master that spread malware across the hospital network (see Figure 37).
Another recent incident involved an MRI system compromised via a Windows XP exploit. The attackers found patient data on the system, but soon realized there was an opportunity to move laterally to gain control of the hospital’s PACS systems. (These systems are used to centralize and archive patient records and other critical information.) Forensic analysis of the attack showed the adversaries had been able to operate in the hospital’s network for more than 10 months.
[Figure: MRI System Exploit]
Windows XP is a primary underlying system for operational technology in healthcare, energy, manufacturing, and other verticals. Adversaries know the operating system is an Achilles’ heel because it is no longer actively supported by Microsoft, and it is extremely difficult and costly for businesses to update mission-critical devices that run XP. That’s what makes these devices an especially enticing target for attackers who use ransomware: They know that businesses would rather pay the ransom than face having the machine offline—or, worse, taken down completely.
Ways to tackle the threat
TrapX researchers suggest that organizations take the following steps to reduce the likelihood, and impact, of a ransomware attack that targets medical devices and other critical operational systems:
- Understand what and how many medical assets in your environment are IP-connected
- Refresh contracts with suppliers, and make sure that they are meeting promises outlined in those contracts to update or replace software, devices, and systems
- Discuss this problem at the senior management and board levels to get their attention and commitment to the process
- Deploy technology tools that provide visibility into the network and automate threat detection and remediation
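As an added example (not from the Cisco report or TrapX), the script below turns the first recommendation and the risk factors the report describes (IP-connected, running an unsupported OS such as Windows XP, patchable only by the vendor, cannot be taken offline) into a simple triage over an asset inventory. The CSV columns and the sample rows are constructed assumptions; a real inventory export would need its own field mapping.

```python
"""Triage an inventory of medical devices for ransomware exposure.

Added example, not part of the Cisco/TrapX report. Field names and the
sample inventory below are constructed for illustration.
"""
import csv
import io

# Windows XP is the end-of-life OS the report names; the other two are also
# past Microsoft's end of support. Extend this set for your environment.
UNSUPPORTED_OS = {"windows xp", "windows 2000", "windows server 2003"}

# Constructed sample inventory: one row per device.
SAMPLE_INVENTORY = """\
asset_id,device,os,ip_connected,patch_owner,can_take_offline
MD-001,Oncology workstation,Windows XP,yes,vendor,no
MD-002,MRI console,Windows XP,yes,vendor,no
MD-003,PACS server,Windows Server 2012,yes,hospital,yes
MD-004,Infusion pump,Embedded Linux,no,vendor,yes
MD-005,Radiology viewer,Windows 7,yes,hospital,yes
"""


def _is(row, key, expected):
    """Case/whitespace-insensitive compare of one inventory field."""
    return row[key].strip().lower() == expected


def risk_score(row):
    """Score a device 0-4, one point per risk factor from the report."""
    score = 0
    if _is(row, "ip_connected", "yes"):
        score += 1  # reachable from the hospital network (lateral-movement pivot)
    if row["os"].strip().lower() in UNSUPPORTED_OS:
        score += 1  # no security updates from the OS vendor
    if _is(row, "patch_owner", "vendor"):
        score += 1  # hospital IT cannot patch it themselves
    if _is(row, "can_take_offline", "no"):
        score += 1  # patching is deferred to avoid downtime
    return score


def triage(inventory_csv):
    """Return (fraction of IP-connected devices, devices ranked by risk)."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    connected = sum(1 for r in rows if _is(r, "ip_connected", "yes"))
    fraction = connected / len(rows) if rows else 0.0
    ranked = sorted(
        ((risk_score(r), r["asset_id"], r["device"], r["os"]) for r in rows),
        key=lambda t: (-t[0], t[1]),  # highest risk first, then by asset id
    )
    return fraction, ranked


if __name__ == "__main__":
    frac, ranked = triage(SAMPLE_INVENTORY)
    print(f"{frac:.0%} of inventoried devices are IP-connected")
    for score, asset_id, device, os_name in ranked:
        print(f"{score}  {asset_id:7} {device:22} {os_name}")
```

The two Windows XP devices that only the vendor can patch and that cannot be taken offline rank first, which is where contract refreshes and network visibility (the second and fourth recommendations) should be focused.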
Speak to one of our experts
We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.